Freigeben über


Certificate problems with OCS 2007 - part 1

Oftentimes when deploying OCS 2007 to complex environments something doesn't work as expected. Even more often the culprit is either a certificates issue or AD (and thus, often a DNS) issue.

One of my colleagues had problems when connecting Office Communicator to OCS 2007, using Access Edge. Thus the workstation was outside the company's LAN (and AD), and was running Windows Vista with Internet Explorer 7.0. Most companies choose to deploy OCS 2007 with private certificates, i.e. generating their own rather than shelling out the hard-earner dollars to companies like Verisign.

The problem here is that while the workstation is able to connect, you will see a problem with authentication. Debugging this through OCS 2007 Logging Tool (which, I might add, is excellent) it all boils down to certificate problems - the client doesn't have the CRL (Certificate Revocation List), and IE7 always enforces that by default.

Fix? Uncheck "Check for server certificate revocation" -option from IE7 > Tools > Internet Options > Advanced.

Comments

  • Anonymous
    September 04, 2007
    Uh, wouldn't the correct fix be to make sure the CRL is in an accessible location rather than downgrade security for the entire workstation?

  • Anonymous
    September 04, 2007
    Michael, Absolutely, that's the optimal solution. In certain situations it simply is not possible, though - this fix is towards those situations.

  • Anonymous
    September 13, 2007
    Here seems to be a good place to point out that security usually (always?) contrasts ease of use. Implementing sufficient security should always include evaluating usability of the stuff that is secured. In this respect, I think Microsoft went wrong in more than a couple of places when introducing the new security features in Vista and IE7. It's good that they responded to general mentality of 'IE is buggy and insecure for browsing the internet', but it's really really bad that they, in the process, made surfing the web significantly more difficult, and in some places even impossible. I mean, come on (!), in what universe do I have to start Firefox just to be able to get in to some MSDN or passport protected site that refuses to load because of some IE (default!) security settings that I don't know how to find? At least, when every other windows app also uses the IE module as a proxy, at the very least they could have added some new informative error messages ("To disable the fingerprint scan for accessing www.google.com, open Tools > Internet Options ... or <click here>"). Obviously, all of this will make people flee towards Firefox, ironically, because it's less secure and more usable.

  • Anonymous
    September 13, 2007
    The comment has been removed